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In the setting of networked computation, data security can be a significant concern. Here we consider the 
problem of allowing a server to remotely manipulate client supplied data, in such a way that both the information 
obtained by the client about the server's operation and the information obtained by the server about the client's 
data are significantly limited. We present a protocol for achieving such functionality in two closely related 
models of restricted quantum computation - the Boson sampling and quantum walk models. Due to the limited 
technological requirements of the Boson scattering model, small scale implementations of this technique are 
feasible with present-day technology. 



Introduction — Quantum information processing |[T1 allows 
certain key problems, which are believed to be classically 
hard, to be efficiently solved. Well known examples with real 
world applications include Shor's algorithm for integer fac- 
torisation 121 and Grover's search algorithm IJ). One of the 
more promising approaches to implementing quantum algo- 
rithms is linear optics quantum computation (LOQC) EUS), 
where information is encoded into single photons and the their 
wave properties are manipulated using linear optics elements. 
Photons are ideally suited to communication, leading natu- 
rally to models of distributed quantum computation. 

A key consideration in any distributed computation scheme 
is security. Consider two parties, Alice and Bob. Alice has 
some data to which she would like to apply a computation, 
whilst Bob has a quantum computer and an algorithm with 
which he can process the data. However both sides have pro- 
prietary knowledge. Alice wants to keep her data secret from 
others, and Bob wants to keep his algorithm secret. This is 
related to the problem of homomorphic encryption which al- 
lows data to be manipulated without decrypting, so Bob can 
perform a universal set of operations on Alice's data with- 
out ever learning Alice's input state. Universal classical ho- 
momorphic encryption was only first discovered in 2009 
and subsequently simplified fT\. Closely related is blind com- 
puting, where Alice possesses both the data and the algorithm, 
and Bob owns the computer llsmol. as is the quantum private 
queries protocol iHT], which is used to query a database while 
keeping the query secret. 

In this paper we describe a technique for solving the above 
problem, and hence achieving a limited quantum homomor- 
phic encryption using the Boson sampling and multi-walker 
quantum walk models for quantum computation. 

The Boson sampling model — A first protocol for universal 
LOQC was introduced by Knill, Laflamme & Milburn (KLM) 
(lU. While universal for quantum computation, their protocol 
is extremely demanding, requiring fast-feedforward and quan- 
tum memory, which are technologically challenging and well 
beyond the capabilities of present-day experiments. Since 
then numerous simplifications have been proposed, most no- 
tably approaches based on cluster states |12-14|, which sig- 
nificantly reduce physical resource requirements. However 
they remain very demanding to implement. 



Recently Aaronson & Arkhipov I.15J introduced a much 
simplified model for LOQC, known as the Boson sampling 
model. While not believed to be universal, it was shown that 
this protocol very likely implements an algorithm which can- 
not be efficiently classically simulated (efficient classical sim- 
ulation would likely imply a collapse in the polynomial hierar- 
chy, PH ifTSll ). The protocol does away with fast-feedforward 
and quantum memory, requiring only a multi-photon input 
state, a purely linear optics network, and photo-detection. 

In the photon number basis, the input state is of the 
form \^l^i-a) — |li, . . . , Ip, Op+i, . . . , Om), or any permutation 
thereof, where there are p photons and m modes. To the input 
state a unitary map is applied, which implements the trans- 
formation a\ — ^ UijOj on the photon creation operators. 
It was shown by Reck et al. |16| that any such U can be ef- 
ficiently constructed using a linear network comprising only 
beamsplitters and phase-shifters. 

In an occupation number representation, the output state 

is of the form |-0out) = 7sk4^^ "-2"^' • • ■ i"-7v^)' where 
S are the different photon number configurations, 75 are the 

associated amplitudes, and ni is the number of photons in 
mode i given configuration S. Each amplitude is proportional 
to a matrix permanent, whose calculation resides in the com- 
plexity class #P-complete, giving rise to the believed classical 
hardness of calculating the output distribution. 

The multi-walker quantum walk model — Another inter- 
esting approach to LOQC is the quantum walk model ifTTl - 
[T9l . Here our physical system comprises a graph in which 
walkers (i.e. photons) are placed at vertices and are allowed 
to coherently 'hop' along the edges. The restriction to linear 
optics means that we consider only non-interacting walkers. 
The evolution is decomposed into two stages - coin (C) and 
step (S) operations. The coin coherently manipulates an an- 
cillary parameter known as the coin value, while the step op- 
erator updates the position (i.e. vertex) of the walker accord- 
ing to the direction specified by the coin. The evolution of 
the system proceeds by repeated application of coin and step, 
iV'out) = {SCy\ipin)- Rohde et al. |20| recently introduced a 
formalism for multi-walker quantum walks on general graphs. 
Indeed, numerous authors have begun experimentally demon- 
strating elementary optical quantum walks ll2Tlj25l . 
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It can be shown that any unitary map on the photon creation 
operators can be decomposed into a non-interacting quantum 
walk, and similarly any non-interacting quantum walk can be 
expressed as such a unitary network |26 1. As with Boson sam- 
pling, no measurement or feedforward is performed within the 
evolution of the quantum walk. Thus there is a natural iso- 
morphism between the two formalisms. We therefore refer to 
Boson sampling and multi-walker quantum walks on general 
graphs interchangeably. Boson sampling can be regarded as a 
classically hard task performed by a quantum walk. 

Homomorphically encrypted Boson sampling and quantum 
walks — The first step in our protocol is to encode the Boson 
sampling input state into the polarisation basis. Suppose there 
are m modes. Then for every mode in which a photon should 
be present we introduce a photon in the horizontal polarisa- 
tion {H), and for every mode in which no photon should be 
present we introduce a photon in the vertical polarisation {V). 
Thus, there are always exactly m photons in the system and 
the number of iJs in the input state is equal to the number of 
photons in the corresponding non-polarisation-encoded state. 
For example, if the Boson sampling computer is supposed to 
be initialised with the input state |0, 1, 1, 0, 0, 1), we would 
encode this using 6 photons as \4'u-i) = Y^tH^H^V^V^H). 
Next we note that if we employ polarisation-resolving photo- 
detection at the output, and only measure those photons in the 
H polarisation while discarding all V photons, the operation 
of the circuit is identical to the desired Boson sampling com- 
puter, since H and V photons will not interfere. On the other 
hand, if we employ non-polarisation-resolving detectors, the 
output will effectively be corrupted. 

Alice begins by preparing an encoded in- 
put state IV'oncodcd) = i?(^)®'"|V'in), where 

r1//,^ f cosO —sm9\ . ... 

^((') = • /I /I IS a polarisation rotation op- 

^ ' ysmO COS& J 

erator, which can be implemented using wave-plates, d is the 
number of divisions in the choice of rotation angle, and k 
represents the kth division. Alice chooses k randomly in the 
range to d — 1. fc can be regarded as Ahce's private key. 
Thus from Bob's perspective, the encoded state is a mixture 
of input states rotated by different angles, and it is this added 
noise that will allow Alice to hide her data from Bob. With d 
divisions, the basis of each choice of encoded state is rotated 
by 7r/d from the previous. The choice of k is retained only 
by Alice, while the encoded state is communicated to Bob, 
who, not knowing the basis in which to measure, perceives a 
mixed state. At the end of the computation Alice measures 
the output state in the polarisation basis given by R{^), 
allowing perfect reconstruction of the desired output state 
using polarisation-resolving photo-detection. 

Information theoretic analysis — We now consider the se- 
curity of our protocol in the context of Bob's probability of 
correctly inferring Alice's input state. To do so we calculate 
the Holevo information |[T1 of the state sent from Alice to Bob. 
The Holevo quantity provides an upper bound on the amount 
of information Bob can extract from Alice's encoded state. 



Formally, the Holevo quantity of our protocol is given by 

XM = -Tr(plog2p) + — ^ Tr(paog2Pi): 



i=0 



where 



P = 2^Ej=iP" and p, 

EtJ(8)r=i^(^)l^..)m.l^(-^). and IP,,) = \H) 



when the j bit of i is 0, otherwise jP^, 



\v). 



While a closed form for the Holevo information for arbi- 
trary values of d and m is likely too much to hope for, we can 
calculate the scaling of the Holevo information for d ^ m. To 
do this, we first note that since ® JLi \Pij) for the various val- 
ues of i form a complete basis on the space of input states, p 
is the maximally mixed state. Therefore — Tr(plog2 p) — m. 
Next we note that — Tr(pi log2 pi) is independent of i, and 
hence it is sufficient to consider only the case of i = 0. 
We consider the change of basis |0) = (|^^) + 
|1) — {\H) — i\V))/\/2. As po is a mixed state of symmet- 
ric states, it resides entirely in the symmetric subspace, which 
has dimension n + 1. Thus a complete basis is formed by the 
states the symmetric state of m qubits containing ex- 

actly £ qubits in state 1 1), and the rest in state |0) . In this basis, 
the density matrix po is given by 



Pa 




2m / ^ / ^ 

fe=0 a. 6=0 



From this, we can see that the cross terms go to zero for large 

a)kT, 

d — > 0. In such a case the 



d since in this case Z^f^^Q e* 
density matrix is diagonal, and hence we have 



Tr(pi log2 pi) 



— T 

2m Z ^ 

a=0 



l0g2 
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which is simply the entropy of the binomial distribution. This 



value is known to be ^ log2 \ 
the Holevo quantity scales as 

1 



X(m) 



l0g2 



0(l/m), and hence 



O 



0(l/m) bits of 



Hence the protocol hides ^ log2 {■^'^err 
information for suitably large d. 

We note that if Bob has no prior information about Alice's 
chosen state, the probability that Bob correctly infers Alice's 
state can be bounded as follows. Let px be the density ma- 
trix Bob receives from Alice when her input string is X. Bob 
must make a measurement on this state to determine his guess 
for X, which we denote X. Without loss of generality we can 
view Bob's measurement as a POVM with 2™ distinct ele- 
ments {Px}% each corresponding to a unique choice of 

X. Thus the probability of Bob correctly determining whether 
a given state, encoding an input state chosen uniformly at ran- 
dom, corresponds to X is 



P{X = X) 



1 



1 



(2" 



2 

Tr(P^ (I 



2Px))) 
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If is the maximum eigenvalue of then the above prob- 
ability is bounded from above by 

P{X = X) < ^(2"-l-(l-2e;^)Tr(P^)). 

However, as we have shown, for large d the density matrix p 
tends to a binomial distribution over m + 1 states. Thus, the 
maximum eigenvalue of p-^ is given by 2^™(^J^"2j) which 

approaches ^^jixm. Therefore, for sufficiently large m and 
d, we have 

nX^X) < ^(2™-l-(l-V^)Tr(P^)). 
Averaged over all states this gives 

p = ^'yp{x^x) < \[^. 

x=o 

Thus the probability of Bob guessing Alice's input string is 
bounded from above by -y/S/Trm for sufficiently large m and 
d. 

The privacy of Bob's secret is more straight forward to 
prove. As Bob simply performs his secret operation upon Al- 
ice's input and returns it to her, the information Alice ob- 
tains is exactly the same as if she makes a single query to a 
black box function, and so Alice obtains the minimum pos- 
sible information about Bob's secret unitary. The probabil- 
ity of Bob correctly determining Alice's input is substantially 
higher than the exponentially small bound one may hope for, 
but such a strong bound would violate the no-go theorems for 
oblivious transfer and bit commitment |27j.28J. An alternate 
approach for Alice is to run many computations with differ- 
ent input states, where only one is her desired state and the 
remainder are dummies. However, this would allow Alice to 
extract more information about Bob's algorithm and is there- 
fore less desirable for Bob. 

The random attack — The average squared overlap between 
two states encoded with random keys is, 

e 

where h is the Hamming distance between strings a and b, and 
h + h' — m. For a large number of divisions d, the overlap is 
plotted in Fig.[T] 

Note that the overlap is minimised when h = m/2. Thus 
it is easier to discriminate between states with Hamming dis- 
tance close to m/2, and harder to distinguish states with lower 
or higher Hamming distance. One way Bob can make use of 
this property is to choose a key at random and measure all 
photons in this basis. As the measurement basis is virtually 
certain not to be unbiased with respect to the encoding basis, 
the string corresponding to the output of such a measurement 
will then be correlated with either the input string or its com- 
plement. Thus Bob can distinguish between states with Ham- 
ming distance sufficiently close to m/2. 
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FIG. 1: (Colour online) log((|(a|fe)p)) with d = 1024, against the 
number of photons m and the Hamming distance between the strings. 

Nonetheless Bob cannot perfectly infer Alice's se- 
cret input state if he has no prior information on 
the distribution. To see this, we note the overlap be- 
tween H or V, and a rotated H or V, exhibits the 
property \{H\R{e)\H)\^ = \{V\R{0)\V)\^ = cos^9. Conse- 
quently, the probability of Bob's measurement results being 
perfectly correlated with Alice's secret state, given m modes 
and m photons, is \{ip\R{0)'^"''-\ip)\'^ — cos^''"^, where |?/') is 
Alice's input state and 9 is that angle between Alice's chosen 
encoding basis and Bob's measurement basis. 

If Bob choses a polarisation basis at random, the average 
probability that he will successfully infer the correct state is, 

j=0 ^ ^ 

Fig. |2] plots the value of this quantity for a range of values 
of d and m. From it, two trends are clear. First, increasing m 
decreases the probability of correctly identifying Alice's se- 
cret state. Second, increasing d also decreases this probability, 
though it tends to a constant value, consistent with the bounds 
obtained from the Holevo information. For a large number 
of modes lim„i_j.oo Pav — ^/d, and for a large number of di- 
visions limjj^ooPav = r(m+ l/2)/-y7rm!, which scales as 
l/v^Trm for large m. Thus this attack has a success probabil- 
ity close to the theoretical limit of yj%jwm . 

Outlook & conclusion — We note that the described ap- 
proach to security is very specific to the Boson sampling and 
quantum walk models for LOQC, and will not work for the 
KLM protocol. This is because KLM requires adaptive mea- 
surement, which would require Alice disclosing the appropri- 
ate measurement basis to Bob in order for him to perform the 
appropriate measurement and feedforward. Thus, the security 
of this protocol relies on the unique property that there is no 
measurement or feedforward within the circuit. 

A beneficial feature of this protocol is that only one round 
of communication is needed in each direction between Alice 
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FIG. 2: (Colour online) Regions for different levels of confidence 
in the probability that Bob correctly infers Alice's state using a ran- 
domly chosen basis, pav < e. 



and Bob - Alice prepares a mixed state, sends it to Bob to 
which he applies the computation and returns it back to Alice. 
This guarantees that the amount of information revealed about 
Bob's operation is no more than in the ideal case. 

The described approach is technologically trivial. If we 
have the ability to implement Boson sampling or quantum 
walks, they can be encrypted simply with the addition of ran- 
domised wave-plate angles prior to and after the computation. 
Thus the ability to implement encryption of these protocols is 
foreseeable. 

Our protocol relies on Alice performing random rotations 
about the y-axis on the Bloch sphere. However it can be shown 
that more general rotations about a randomly chosen axis do 
not improve the asymptotic security of the scheme. 

A key open question for the multi-walker quantum walk 
model is its applicability. Boson sampling can be regarded as 
an application of quantum walks. However, while shown to be 
likely classically hard to simulate, no specific algorithmic ap- 
plications have been identified. While isomorphic to the Bo- 
son sampling model, the multi-waUcer quantum walk model 
may prove more fruitful for algorithm design, since it is in- 
herently graph theoretic in nature and may therefore naturally 
lend itself to the development of graph theoretic algorithms. 

We emphasise that our protocol does not guarantee that Bob 
learns nothing about Alice's data, but rather that the informa- 
tion Bob obtains is incomplete, asymptotically reducing Bob's 
probability of successfully reconstructing the input or output 
state. The trade-off that must be paid for improved security 
is a large number of randomised rotation settings and a larger 
interferometer. 

In conclusion, we have presented a simple yet effective ap- 
proach to encrypted quantum computation using two recent 
models for LOQC. The requirements for this protocol are well 
within current technological capabilities and could be readily 
implemented with present-day technology. 
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